CVE-2020-1048

Published: 21/05/2020 | Updated: 28/04/2022
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 646
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system, aka 'Windows Print Spooler Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1070.

Vulnerable Product

microsoft windows server 2008 r2

microsoft windows server 2012 r2

microsoft windows 10 1607

microsoft windows 8.1 -

microsoft windows server 2016 -

microsoft windows server 2008 -

microsoft windows 7 -

microsoft windows rt 8.1 -

microsoft windows server 2012 -

microsoft windows 10 -

microsoft windows 10 1709

microsoft windows 10 1803

microsoft windows 10 1809

microsoft windows 10 1903

microsoft windows 10 1909

microsoft windows server 2016 1803

microsoft windows server 2016 1903

microsoft windows server 2016 1909

microsoft windows server 2019 -

Exploits

This exploit leverages a file write vulnerability in the print spooler service, which will restart if stopped. Because the service cannot be stopped long enough to remove the dll, there is no way to remove the dll once it is loaded by the service. Essentially, on default settings, this module adds a permanent elevated backdoor ...

Github Repositories

sysmon-config | A Sysmon configuration file. This is a forked and modified version of @SwiftOnSecurity's sysmon config. It started as simply a copy of the original repository. We merged most of the 30+ open pull requests. Thus we have fixed many of the issues that are still present in the original version and extended the coverage with important new extensions. Maintaine

PrintDemon is a vulnerability that uses the Windows Printer Spooler to escalate privileges.

PrintDemon (CVE-2020-1048): PrintDemon is a vulnerability that uses the Windows Printer Spooler to escalate privileges, bypass Endpoint Detection & Response (EDR), and gain persistence. The Windows Printer Spooler has a long history of vulnerabilities, including a vulnerability (CVE-2010-2729) used by the well-known Malware called Stuxnet back in 2010. A printer must be a

PoC for CVE-2009-0229 "Print Spooler Read File Vulnerability" LPE AFR (related to CVE-2020-1048)

CVE-2009-0229-PoC: PoC for CVE-2009-0229 "Print Spooler Read File Vulnerability" LPE AFR (related to CVE-2020-1048). Details: Author: Andrei Costin (zveriu@gmail.com), twitter.com/costinandrei/. PoC date: 2010-xx-xx. Release date: 2020-05-14 (reminded/inspired by CVE-2020-1048 - yes, I am too late to the party :D ). TL;DR: If you want 0days, dig Printing and Faxi

This is a PowerShell Empire launcher PoC using PrintDemon and Faxhell.

PrintDemon: This is a PowerShell Empire launcher PoC using PrintDemon and Faxhell. The module has the Faxhell DLL already embedded, which leverages CVE-2020-1048 for privilege escalation. The vulnerability allows an unprivileged user to gain system-level privileges and is based on @ionescu007's PoC.

An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system, aka 'Windows Print Spooler Elevation of Privilege Vulnerability'.

CVE-2020-1048: An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user

PrintDemon is a PoC for a series of issues in the Windows Print Spooler service, as well as potential misuses of the functionality.

PrintDemon (CVE-2020-1048): PrintDemon is a PoC for a series of issues in the Windows Print Spooler service, as well as potential misuses of the functionality. Please read windows-internals.com/printdemon-cve-2020-1048/ for all of the information.

CVE-2020-1337 a bypass of (PrintDemon) CVE-2020-1048’s patch

CVE-2020-1337: CVE-2020-1337 is a bypass of (PrintDemon) CVE-2020-1048’s patch via a Junction Directory, made to remediate an Elevation of Privileges (EoP)/Local Privilege Escalation (LPE) vulnerability affecting the Windows’ Print Spooler Service. The vulnerability does require low privilege access and for the spooler service to restart. The patch appeared in Micros

Invoke-PrinterDemon

PrinterDemon: The Invoke-PrinterDemon script can exploit the cve-2020-1048 vulnerability to write data to an arbitrary location on the system; the Spoolsv service needs to be restarted. Usage: \Invoke-PrinterDemonps1 Invoke-RawDataToPrinter -PrinterName PrinterDemon -PrinterPort "C:\Windows\system32\ualapidll" -FileName \ualapidll PrinterName can specify the added

POC exploit code for CVE-2020-1048(PrintDemon)

CVE-2020-1048: POC exploit code for CVE-2020-1048 (PrintDemon). Vulnerable Systems: All Windows version below mentioned in the link are vulnerable: portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1048. Steps to reproduce: Change the variables g_PortName and g_InputFile present at the top of Source.c. Compile and run using Visual studio. Restart the printe

Print Spooler Research Tools: The repository contains the tools we developed during our Print Spooler research which we presented in Black Hat USA 2020 and DEF CON 28 Safe Mode ("A Decade After Stuxnet's Printer Vulnerability: Printing is still the Stairway to Heaven"). Each tool/project contains its own README.md file: SHDWriter: CVE-2020-1048 - Exploit Po

CVE-2020-1337 Windows Print Spooler Privilege Escalation

CVE-2020-1337 Windows Privilege Escalation: this is a WWW (write-what-where) exploit. Credit: Junyu Zhou (@md5_salt), who told me there could be a new bug; Wenxu Wu (@ma7h1as), I find the bug and write this exploit. How it works: in the patch of CVE-2020-1048, Microsoft add the validation code of portname on XcvData function which could be triggered by call Add-Printer in Powershel

PowerShell and C++ PoCs for critical / high impact Windows Spooler vulnerabilities found in 2020-22

Ethical Hacking project: PowerShell and C++ PoCs for critical / high impact Windows Spooler vulnerabilities found in 2020-22: CVE-2020-1337; CVE-2020-1048, aka PrintDemon; CVE-2020-1030; CVE-2022-21999, aka SpoolFool. The videos of the demonstration of the PoCs are provided inside the Video folder, while more information about each specific vulnerability can be found in the CVEs h

A Splunk Technology Add-on to forward filtered ETW events.

Splunk-ETW: A Splunk Technology Add-on to forward filtered ETW events. The main purpose of this plugin is to select, filter and forward ETW events to Splunk. Build from source: Splunk-ETW is written in C# and powered by cmake: git clone github.com/airbus-cert/Splunk-ETW mkdir build cd build cmake ..\Splunk-ETW cmake --build . --target package --config release

CVE-2020-1048 bypass: binary planting PoC

CVE-2020-1337 - Binary Planting (CVE-2020-1048 bypass). Peleg Hadar (@peleghd) and Tomer Bar at SafeBreach (@safebreach) were acknowledged by Microsoft by the CVE-2020-1048, a Windows Spooler Vulnerability that allows an elevation of privilege on Windows 7 and later. Some details were disclosed by Alex Ionescu (@aionescu) and Yarden Shafir (@yarden_shafir) on his cool blog post

Sibyl-GPT Alert Parsing Script: This script connects to the ElasticSearch Detection Engine API, retrieves alerts, allows users to choose one for investigation, and sends the chosen alert to OpenAI to get suggested investigation and remediation. Acknowledgments: The main inspiration for this work is from Mika's excellent article. Requirements: An OpenAI API key; Python 3.6 or hi

Leveraging CVEs as North Stars in vulnerability discovery and comprehension.

CVE North Stars: Leveraging CVEs as North Stars in vulnerability discovery and comprehension. About CVE North Stars: Tutorial: cve-north-stars.github.io. Blog Post: clearbluejar.github.io/posts/cve-north-stars/. CVE North Stars introduces a method to kickstart vulnerability research by taking advantage of the CVE information freely available (i.e. public blo

CyberSecurity Resources (Threat Intelligence, Malware Analysis, Pentesting, DFIR, etc)

Welcome to the CyberSecurity-Playground wiki! A good reference for my CyberSecurity Playground. IP Addresses Blocking: @echo off if "%1"=="list" ( netsh advfirewall firewall show rule Blockit | findstr RemoteIP exit/b ) :: Deleting existing block on ips netsh advfirewall firewall delete rule name="Blockit" :: Block new ips (while reading them from bl

Recent Articles

I know what you leased last summer: Asset database leak hits Capita, Rolls-Royce, Tesco (every little helps, eh?)
The Register • Shaun Nichols in San Francisco • 18 May 2020

Plus: Pop's Lady Gaga popped in hack, and more

Roundup Let's catch you up on infosec news beyond the bits and bytes we've already reported. A leasing company left a poorly secured database facing the open internet for anyone to find and freely access – and it contained records on assets used by big names, such as Samsung, Rolls-Royce, Tesco, Computacenter, Link Group, Capita, Freightliner, and MC Group, we're told. The team at TurgenSec informed El Reg over the weekend it found the publicly accessible data cache, operated by an outfit call...